Details of more than 10.6 million guests who stayed at MGM Resorts were published on a hacking forum this week, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. The incident, revealed in a report published on ZDNet Wednesday, once again highlights the importance of securing data stored in the cloud, as well as the ripple effect breaches can have for companies and victims long after they have occurred. Personal details found on the forum included full names, home addresses, phone numbers, emails and dates of birth for 10,683,188 guests who had previously stayed at MGM Resorts, according to the report. Those guests included celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies. ZDNet worked with a security researcher at Under the Breach, a soon-to-be-launched data-breach monitoring service, to confirm the authenticity of the data on the forum, and then reached out to MGM Resorts and some of the people affected by the breach for further confirmation. MGM almost immediately confirmed the breach to ZDNet, linking it to a security incident that happened last summer, according to the report. Following the breach, the company conducted an internal investigation using two cybersecurity forensics firms, officials said. “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of…


A ransomware attack has hit a natural gas compression facility in the U.S., the feds have warned. The attack resulted in a two-day pipeline shutdown as the unnamed victim worked to bring systems back online from backups. The attackers were able to penetrate the IT portion of the facility’s network, and then move beyond it to eventually infiltrate the control and communication assets on the operational technology (OT) side of the house. The Cybersecurity and Infrastructure Security Agency (CISA) said in an alert issued this week that the attackers successfully spearphished an employee to gain initial access. This initial compromise of the IT network led to the attacker deploying a “commodity ransomware” to encrypt data on both the IT and the OT networks. The ability to pivot was thanks to a lack of network segmentation between the IT and the OT portions of the infrastructure, CISA said. Security firm Dragos said that despite limited technical details, previous ransomware attacks provide a possible attack blueprint: “Current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim’s entire network,” it said in a blog post on Wednesday. “Once achieved, the attacker can then utilize malicious scripts and legitimate remote execution tools like PSExec to stage ransomware, or even push malicious software via AD Group Policy Objects. The result is all…


While Microsoft issued patches for the infamous BlueKeep vulnerability almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the remote desktop protocol (RDP) flaw. Researchers said they found that 22 percent of a typical hospital’s Windows devices were vulnerable to BlueKeep. Even worse, the proportion of connected medical devices running Windows that are vulnerable to BlueKeep is considerably higher, around 45 percent, they said. Vulnerable medical devices can include MRIs, ultrasounds, X-rays, and more, which run on operating systems (typically Windows) that allow their operators to more easily collect and upload data. “For hospitals, the task of monitoring vulnerabilities, identifying affected devices, chasing down suitable patches, and distributing those patches across a sprawling campus is tedious, to say the least,” said researchers with CyberMDX in their “2020 Vision” report on medical security, released Tuesday. “This process is slow and inefficient, as the hospitals usually do not know which devices or security issues to attend to first.” The BlueKeep flaw (CVE-2019-0708) was fixed in Microsoft’s May 2019 Patch Tuesday Security Bulletin. System administrators were urged to immediately deploy fixes, as the flaw could pave the way for a rapidly propagating attack on the scale of WannaCry. In the months following the disclosure of BlueKeep, researchers…


Attackers are sending SMS messages purporting to be from victims’ banks; once recipients click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware. Emotet has continued to evolve since its return in September, including a new, dangerous Wi-Fi spreading feature disclosed last week that can let the malware propagate like a worm. Now, this most recent campaign delivers the malware via “smishing,” a form of phishing that relies on text messages instead of email. While smishing is certainly nothing new, researchers say that the delivery tactic exemplifies how Emotet’s operators constantly switch up their approaches to go beyond mere malspam emails, making it hard for defense teams to keep up. “Emotet’s operator, the Mealybug gang, has varied its activity levels over time, sometimes going into lengthy lulls and periods of low-volume activity,” said researchers with IBM X-Force in a Wednesday analysis. “Since late 2019, Mealybug has been pushing its activity through various channels, including spam, sextortion emails, SMiShing and ploys like fake Coronavirus warnings that were spread in Japan.” The SMS messages purport to come from local U.S. numbers and impersonate banks, warning users of locked bank accounts. The messages urge victims to click on a link, which redirects them to a domain that’s known to distribute Emotet (shabon[.]co). Visually, when victims click on the link they see…


Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection. In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix that it had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called "password spraying," a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords. In a statement released at the time, Citrix said it appeared hackers "may have accessed and downloaded business documents," and that it was still working to identify what precisely was accessed or stolen. But in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers…


Hamas has been caught taking a classic “catfish” approach to tempt Israeli soldiers into installing spyware on their phones: members posed as teen girls looking for quality chat time. This is the third time that the Palestinian group has used the tactic, but this time it upped its technical game. According to the Israel Defense Forces (IDF), the group took to Facebook, Instagram and Telegram under the guise of six social media personae: Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay and Rebecca Aboxis. The IDF tweeted out a short notice on the campaign, which it said it disrupted: “Hamas created fake social media profiles, using photos including this one, in an attempt to hack the phones of IDF soldiers. What Hamas didn’t know was that Israeli intelligence caught onto their plot, tracked the malware & downed Hamas’ hacking system. #CatfishCaught” (Israel Defense Forces (@IDF), February 16, 2020). The IDF told the Times of Israel that the idea was to catch male targets’ attention, strike up a rapport and eventually lure the soldiers into installing a special app on their phones. The apps purported to allow private chatting where posts disappear after a time, à la Snapchat. The apps were called Catch & See, ZatuApp and GrixyApp. The ‘ladies’ claimed to be immigrants to Israel with a “lack of full command of the Hebrew language,” and with vision and hearing problems (in an effort to explain away spelling and grammatical errors). The…


Visibility into an environment’s attack surface is the cornerstone of sound security decision making. However, the standard process of third-party threat assessment as practiced today is both time consuming and expensive. Cynet changes the rules of the game with a free threat assessment offering (click here to learn more) based on more than 72 hours of data collection, enabling organizations to benchmark their security posture against their industry-vertical peers and take action accordingly. Cynet Free Threat Assessment (available for organizations with 250 endpoints and above, from North America and Europe) spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently alive and active in the environment. The assessment reports on:
- Indications of live attacks: active malware, connections to C&C, data exfiltration, access to phishing links, user credential theft attempts and others.
- Host and app attack surfaces: unpatched vulnerabilities rated by criticality.
- A benchmark comparing the organization’s security posture to the industry average.
- A weighted risk score built from all findings and activity.
- User identity attack surface: risk scoring for each user account.
The security assessment’s objective is to give security decision-makers clear visibility into their actual security needs, so they can make an informed decision on how to address them within their available resources. Given that the price of such an assessment for…


This tax season crooks are targeting users with a new crop of scams that include leveraging remote desktop software and compromising small tax-prep company websites. “If you have the word ‘tax’ in your domain name, you’re a target this year,” warns Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, in a report released Wednesday. The attacks are emerging alongside the traditional email-based attacks that try to trick users into installing malware that can steal credentials or take control of systems. One of the new tax scams leverages the legitimate TeamViewer remote-control app to do its dirty work, he wrote. Other email-based attacks this year leverage more traditional malware like The Trick banking trojan. Attackers this year are focusing on smaller tax-preparation firms, probably because “smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened,” he wrote. Some rather unlikely sectors emerged as targets during the 2019 tax season, in particular the construction industry, which, alongside financial firms, is at higher risk of attack this year, he said. “The construction industry targeting in particular is a reminder that no one sector is immune,” DeGrippo wrote. Attacks on legitimate small-business sites observed by Proofpoint this year target ones with unpatched and out-of-date WordPress or other content-management installations to take control of…


Just ahead of its Champions League Round of 16 appearance next week, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack. The strike resulted in account takeover and bogus tweets being sent out. The hacking collective known as OurMine, which made headlines for taking over the official Twitter accounts of 15 different NFL teams in January, took credit for the attack on Saturday. This is the second time that “Barca” (as the Spanish powerhouse is affectionately known) has been an OurMine target: the group took aim at the Spanish team back in 2017 as well, attacking its Twitter and Facebook pages. OurMine claims to hack sites with good intentions, to help targets “improve your accounts security,” as it said in one of the tweets (now deleted). It also claims to choose its targets at random. However, the group does appear to do its homework on its targets. One of the tweets in this case included an intimation that Brazilian star Neymar Jr. will return to the club. He left FC Barcelona to play for Paris Saint-Germain back in 2017, and the rumor mill has been circulating the idea that he could rejoin Lionel Messi and Luis Suarez on his old team this summer. “OurMine have hacked the official Barcelona and Olympic Twitter accounts and posted these tweets 😂😂 pic.twitter.com/1WEzLemTvl” (UTFR 🇾🇪 (@ManUtd_HQ), February 15, 2020). “FC Barcelona’s Twitter accounts have been hacked, which is why messages from outside our club have appeared, and which have…


Connected doorbell-maker Ring is now requiring two-factor authentication (2FA) for all users when they sign into their accounts. The new requirement comes after Ring faced a backlash in December following a rash of disturbing hacks and security issues tied to the smart doorbell. While Amazon-owned Ring offered 2FA as an option to customers before, the second layer of verification is now mandatory for all users. That means that when users log into an account, they’ll receive a one-time, six-digit code (via email or phone) to verify their login attempt, which they will need to enter before receiving access to their Ring accounts. “This added authentication helps prevent unauthorized users from gaining access to your Ring account, even if they have your username and password,” said Leila Rouhi with Ring, in a note to customers posted Tuesday. The new measures come on the heels of a Motherboard investigation in December that discovered serious security holes in Ring doorbells. As part of the security testing, Motherboard logged into a Ring account (both on the app and the website) with its corresponding email and password from various IP addresses worldwide. While Ring offered 2FA as an option at the time, Motherboard found in multiple tests that people who were already logged into the app didn’t need to log back in after 2FA was enabled (though Ring did log users out after password changes). The report also found that no alert was triggered notifying the Ring…
